WiFi Aggregation and Offload — Basic Open SSID
This chapter provides information about WiFi Aggregation and Offload — Basic Open SSID.
Applicability
The information and configuration in this chapter are based on SR OS Release 12.0.R5.
Overview
WiFi Aggregation and Offload functionality for the 7750 SR is supported on SR OS 10.0.R3 or later. The functionality includes a RADIUS proxy server with a RADIUS proxy cache and support for soft-GRE tunnels.
WLAN-GW subscribers are implemented using Enhanced Subscriber Management (ESM) on the Control Processing Module (CPM), to benefit from the extensive ESM features available on the 7750 SR platform. Many different WiFi Offload configurations are possible, with the two most versatile configurations being open and secure Service Set Identifier (SSID).
This configuration should be used as a starting point for operators who need to offer an open SSID, where any client can connect to an Access Point (AP) and obtain an IP address without authentication. In most cases, operators want users to go through an authentication process before allowing full Internet access using the open SSID; therefore, this configuration also includes a web portal.
IP address assignment and Internet connectivity can be achieved using various methods in SR OS. In this configuration, a local DHCP server provides IP addresses to the User Equipment (UE) and routing to the Internet is performed using Global Routing Table (GRT) leaking.
Several considerations typically affect the choice of a WiFi Offload solution:
Access can be free or paid.
Equipment can be preconfigured or users can bring their own WiFi device.
When there is no pre-existing subscription, an open SSID is the most obvious solution. To provide a paywall or to have the user acknowledge certain terms of use due to legal reasons, a web portal may also be required.
When a web portal is implemented, users who connect to the open SSID which are not yet authenticated have all their web traffic redirected to the web portal landing page. This is performed using an http-redirect filter applied to the initial (limited) Service Level Agreement (SLA) profile assigned to the UE. Typically, the operating system of the UE will detect the presence of the web portal and automatically open the login page for the user. When the user logs in, the web portal sends a RADIUS Change of Authorization (CoA) request to the WLAN-GW, changing the SLA profile to one that does not contain an http-redirect filter.
Besides authentication, a major consideration is the method used to achieve Internet connectivity. Will the users require public addresses or are private addresses sufficient? In case few public IP addresses are available, private IP addresses can be assigned to UEs and the WLAN-GW can perform a Network Address Translation (NAT) function. If public routable IP addresses can be made available to all UEs, traffic from the UEs can be routed by the WLAN-GW to the Internet.
When a UE connects to an open SSID (as shown in Call Flow for Open SSID), typically the UE attempts to obtain an IP address using Dynamic Host Configuration Protocol (DHCP). The WLAN-GW can serve as a DHCP relay or proxy and may obtain the IP address from an external source, or use a local DHCP server function. A DHCP Discover or Request packet from a UE will trigger a form of authentication where the WLAN-GW requests information about the UE, such as SLA profile or DHCP local pool name. This authentication is separate from the web portal authentication and occurs immediately when a UE connects.
In summary:
DHCP Discover triggering RADIUS authentication
DHCP completes and UE has SLA profile with limited access
UE logs into a web portal
Successful login causes the portal to send a RADIUS CoA which assigns an SLA profile with full access
The SR OS is flexible in allowing the operator to separate the various WiFi Offload functions between different routing instances. All functions can be configured in the same routing instance, or as shown in WiFi Offload Scenario with Open SSID and Local DHCP Server, the connectivity to the APs (and soft-GRE tunnels) can be provided in one Virtual Private Routed Network (VPRN), the users can be instantiated in another VPRN, and Authentication, Authorization and Accounting (AAA) access can be provided in yet another routing instance (in this case, the Base router). This clear separation of functions can enhance security; for example, by separating user traffic from authentication traffic.
Configuration
The WiFi offload scenario shown in WiFi Offload Scenario with Open SSID and Local DHCP Server has the following characteristics:
Open SSID with web portal authentication
Local breakout to Internet using GRT leaking, routing through Base routing instance
Same private IP address assigned to all UEs, with L2-aware NAT
AP access in VPRN 1000
UEs terminated in VPRN 2005
Local DHCP server assigning public IP addresses
WLAN-GW
Note that the uplink interface, Interior Gateway Protocol (IGP), and system configuration are outside the scope of this document.
The following card and Media Dependent Adapter (MDA) configuration shows only the WLAN-Input/Output Module (IOM). An IOM card containing two Multi-Service Integrated Service Adapter (MS-ISA) cards provides the WLAN-GW functionality. The MDA type for the ISA cards is isa-bb, the same type that is used for NAT.
*A:WLAN-GW# /configure card 2
*A:WLAN-GW>config>card# info
----------------------------------------------
card-type iom3-xp-b
mda 1
mda-type isa-bb
no shutdown
exit
mda 2
mda-type isa-bb
no shutdown
exit
no shutdown
----------------------------------------------
The following ISA configuration defines a wlan-gw-group referencing the IOM in slot 2, which hosts the two MS-ISA cards that provide the WLAN-GW functions.
A:WLAN-GW# /configure isa
A:WLAN-GW>config>isa# info
----------------------------------------------
wlan-gw-group 1 create
active-iom-limit 1
iom 2
no shutdown
exit
----------------------------------------------
The following is a RADIUS server configuration, where the secret must match the secret configured on the external RADIUS server. The accept-coa option must be configured to allow the change of SLA profile by the web portal using a CoA request.
*A:WLAN-GW# /configure router radius-server
*A:WLAN-GW>config>router>radius-server# info
----------------------------------------------
server "Server2" address 10.43.186.2 secret "zmLYVgt8UOLypJamceNSSHDWbZproq7Y" hash2 create
accept-coa
exit
----------------------------------------------
The following AAA configuration contains a RADIUS server policy used in the authentication policy. The source address must match the IP address configured for this client on the RADIUS server.
*A:WLAN-GW# /configure aaa
*A:WLAN-GW>config>aaa# info
----------------------------------------------
radius-server-policy "RS_5" create
servers
router "Base"
source-address 10.10.10.165
server 1 name "Server2"
exit
exit
----------------------------------------------
The following policy configuration is used for exporting routes so that they are reachable by the public network. These policies are used for exporting UE routes in subsequent configuration sections.
*A:WLAN-GW# /configure router policy-options
*A:WLAN-GW>config>router>policy-options# info
----------------------------------------------
prefix-list "WiFi-clients"
prefix 10.165.0.0/16 longer
exit
policy-statement "WiFi-clients"
entry 10
from
prefix-list "WiFi-clients"
exit
action accept
exit
exit
exit
----------------------------------------------
The uplink network configuration is outside the scope of this document. However, note that the IGP (here ISIS) must be aware of the UE addresses so that they are accessible from the Internet.
*A:WLAN-GW# /configure router isis
*A:WLAN-GW>config>router>isis# info
----------------------------------------------
export "WiFi-clients"
----------------------------------------------
The following IP filter redirects all HTTP traffic to the web portal. The filter must also allow DNS and potentially other traffic. Because entries are evaluated in order, the entry that forwards TCP port 80 traffic to the web portal address must be placed before the entry that redirects all other TCP port 80 traffic to that portal; otherwise, the browser's request to the portal is itself redirected and a redirect loop results.
The HTTP redirect URL also includes a parameter that provides the MAC address of the UE to the web portal. In this configuration, either $MAC or $SUB can be used since both variables contain the MAC address of the UE. The web portal can reply with a CoA request specifying this particular UE MAC as the Subscriber ID after successful login. The URL also returns the IP address of the WLAN-GW to the web portal, so that the portal knows which WLAN-GW to send the CoA request to.
*A:WLAN-GW# /configure filter
*A:WLAN-GW>config>filter# info
----------------------------------------------
ip-filter 2005 create
default-action forward
entry 70 create
match protocol udp
dst-port eq 53
exit
action forward
exit
entry 80 create
match protocol icmp
exit
action forward
exit
entry 90 create
match protocol tcp
dst-ip 10.43.186.2/32
dst-port eq 80
exit
action forward
exit
entry 100 create
match protocol tcp
dst-port eq 80
exit
action http-redirect "http://portal2.3ls.net/portal-no-login.php?gw=10.10.10.165&mac=$SUB"
exit
exit
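The first-match behaviour of this filter, and the loop check that the ordering above avoids, as an added example that is not part of the SR OS documentation or of the product: a small Python model of ip-filter 2005. The entry numbers, the portal address 10.43.186.2 and the actions are taken from the filter above; the destination address 203.0.113.10 and the mis-ordered variant are constructed for the example.

```python
# Added example: a minimal model of SR OS first-match filter evaluation for
# ip-filter 2005 (not SR OS code, not from the chapter). It checks that the
# entry allowing TCP/80 to the portal sits before the catch-all http-redirect
# entry, so that the browser's follow-up request to the portal is not
# redirected again (a redirect loop).
from dataclasses import dataclass
from typing import List, Optional

PORTAL_IP = "10.43.186.2"   # web portal address used in entry 90 of the chapter's filter


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    dst_ip: str
    dst_port: int = 0     # unused for icmp


@dataclass(frozen=True)
class Entry:
    entry_id: int
    proto: str
    action: str                      # "forward" or "http-redirect"
    dst_ip: Optional[str] = None     # None matches any destination address
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.dst_ip is not None and pkt.dst_ip != self.dst_ip:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def evaluate(entries: List[Entry], pkt: Packet, default_action: str = "forward") -> str:
    """Action of the first matching entry; entries are evaluated in ascending
    entry-id order, lower ids first. Falls back to the filter's default-action."""
    for entry in sorted(entries, key=lambda e: e.entry_id):
        if entry.matches(pkt):
            return entry.action
    return default_action


def has_redirect_loop(entries: List[Entry]) -> bool:
    """True when the request a redirected browser makes to the portal itself
    (TCP/80 to PORTAL_IP) would be redirected again instead of forwarded."""
    return evaluate(entries, Packet("tcp", PORTAL_IP, 80)) == "http-redirect"


# ip-filter 2005 as configured in the chapter (default-action forward).
FILTER_2005 = [
    Entry(70, "udp", "forward", dst_port=53),                     # DNS
    Entry(80, "icmp", "forward"),                                  # ICMP
    Entry(90, "tcp", "forward", dst_ip=PORTAL_IP, dst_port=80),    # the portal itself
    Entry(100, "tcp", "http-redirect", dst_port=80),               # all other HTTP
]

# Constructed mis-ordering for comparison: the portal allow entry is numbered
# after the redirect entry, so it is never reached.
FILTER_MISORDERED = [
    Entry(70, "udp", "forward", dst_port=53),
    Entry(80, "icmp", "forward"),
    Entry(100, "tcp", "http-redirect", dst_port=80),
    Entry(110, "tcp", "forward", dst_ip=PORTAL_IP, dst_port=80),
]


if __name__ == "__main__":
    # 203.0.113.10 is a constructed Internet destination (documentation range).
    for pkt in (Packet("udp", "10.43.186.43", 53), Packet("tcp", "203.0.113.10", 80),
                Packet("tcp", PORTAL_IP, 80), Packet("tcp", "203.0.113.10", 443)):
        print(pkt, "->", evaluate(FILTER_2005, pkt))
    print("loop in FILTER_2005:", has_redirect_loop(FILTER_2005))
    print("loop in FILTER_MISORDERED:", has_redirect_loop(FILTER_MISORDERED))
```

Running the model also makes a property of the chapter's filter visible: only plain HTTP (TCP port 80) is redirected; TCP port 443 falls through to default-action forward, so an unauthenticated UE is not redirected for HTTPS destinations.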
The following is a subscriber management configuration, with the RADIUS authentication policy used to authenticate DHCP requests, including the accept-authorization-change option to allow for SLA profile change after portal authentication. This DHCP authentication request also sends the NAS ID attribute that allows the RADIUS server to match on the configuration for this particular SSID. All UEs will be authenticated with their MAC address as user name, and alcatel as their password (any DHCP request will result in a successful authentication).
Two SLA profiles are required: profile SLAP_5_portal is initially used for each UE and refers to the portal redirect filter, while profile SLAP is applied using a CoA request after the user successfully authenticates on the web portal. A subscriber identity policy is also required.
configure subscriber-mgmt
authentication-policy "WiFi-165-5-auth-policy" create
password alcatel
accept-authorization-change
include-radius-attribute
nas-identifier
exit
radius-server-policy "RS_5"
exit
sla-profile "SLAP" create
exit
sla-profile "SLAP_5_portal" create
ingress
ip-filter 2005
exit
exit
sub-profile "SUBP" create
exit
sub-ident-policy "SIP" create
sub-profile-map
use-direct-map-as-default
exit
sla-profile-map
use-direct-map-as-default
exit
exit
The following VPRN 1000 configuration contains the interface to the AP, and has GRT lookup with export-grt configured to allow APs to be managed from the Base routing instance.
*A:WLAN-GW# /configure service vprn 1000
*A:WLAN-GW>config>service>vprn# info
----------------------------------------------
route-distinguisher 65400:1000
interface "toAP3" create
address 10.1.3.1/24
sap 1/1/10 create
exit
exit
grt-lookup
enable-grt
static-route 0.0.0.0/0 grt
exit
export-grt "WiFi-APs"
exit
no shutdown
----------------------------------------------
VPRN 2005 is used for UE termination and contains:
A local DHCP server with a single pool of addresses that are assigned to UEs.
A loopback interface used by the DHCP server.
A subscriber interface and group interface of type wlangw (called softgre prior to Release 12.0).
Subscriber parameters.
The authentication policy, which will run each time a UE requests a DHCP address.
The host-connectivity-verify function, which periodically checks the presence of UEs and quickly removes disconnected UEs even before their DHCP lease expires; the WLAN-GW has no other way of knowing when a UE has disconnected from the AP.
The wlan-gw CLI node (called soft-gre prior to Release 12.0), including the WLAN-GW GRE tunnel end-point address, the routing instance where AP traffic is terminated, the ISA WLAN-GW group, and mobility parameters, which allow the UE state to be kept if the UE moves between two APs broadcasting the same SSID.
GRT lookup with export-grt configured to allow UE traffic to be routed to the Internet.
*A:WLAN-GW# /configure service vprn 2005
*A:WLAN-GW>config>service>vprn# info
----------------------------------------------
description "WiFi-165-5 Open SSID"
dhcp
local-dhcp-server "local_dhcp_2005" create
use-pool-from-client
pool "pool1" create
max-lease-time hrs 1
options
dns-server 10.43.186.43
exit
subnet 10.165.5.0/25 create
options
subnet-mask 255.255.255.128
default-router 10.165.5.1
exit
address-range 10.165.5.2 10.165.5.99
exit
exit
no shutdown
exit
exit
route-distinguisher 65400:2005
interface "dhcp-server" create
address 10.0.0.1/24
local-dhcp-server "local_dhcp_2005"
loopback
exit
subscriber-interface "SI5" create
address 10.165.5.1/24
group-interface "GI5" wlangw create
sap-parameters
sub-sla-mgmt
def-sla-profile "SLAP_5_portal"
def-sub-profile "SUBP"
sub-ident-policy "SIP"
exit
exit
dhcp
option
action replace
circuit-id
no remote-id
vendor-specific-option
pool-name
exit
exit
server 10.0.0.1
trusted
lease-populate 10000
gi-address 10.165.5.1
no shutdown
exit
authentication-policy "WiFi-165-5-auth-policy"
host-connectivity-verify interval 5 action remove
wlan-gw
gw-address 192.5.5.5
mobility
trigger data iapp
exit
router 1000
wlan-gw-group 1
no shutdown
exit
exit
exit
grt-lookup
enable-grt
exit
export-grt "WiFi-clients"
exit
no shutdown
----------------------------------------------
FreeRADIUS
This simple default configuration section matches on any host. During the DHCP authentication phase, RADIUS returns the DHCP pool name pool1 informing the WLAN-GW DHCP server which pool to assign the UE IP address from:
/etc/freeradius/users
DEFAULT Auth-Type := Local, User-Password := "alcatel", user-name=~""
Alc-Subsc-ID-Str = "%{User-Name}",
Framed-Pool = "pool1",
In /etc/freeradius/clients.conf, the secret must match the secret configured in the WLAN-GW RADIUS server configuration.
client 10.10.10.165 {
secret = alcatel
shortname = WLAN-GW
}
The RADIUS CoA sent during successful portal login allows this UE full access, by applying SLA profile SLAP which does not have an http-redirect filter.
echo "ALC-Subsc-Id-Str='68:7f:74:8b:3d:d7',ALC-Subsc-Prof-Str='SUBP_5',ALC-SLA-Prof-Str='.SLAP',Alc-Primary-Dns = '10.43.186.43'" | /usr/bin/radclient -x -r 1 -t 2 '10.10.10.165' coa 'alcatel'
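The CoA exchange that the radclient command above produces, as an added example that is not part of the chapter, of SR OS or of FreeRADIUS: a Python encoder for the CoA-Request (RFC 5176) carrying the Alcatel-Lucent vendor-specific attributes, and the portal-side check of the CoA-ACK authenticator. The vendor ID 6527 and attribute numbers 11, 12 and 13 are the ones shown in the RADIUS debug output later in this chapter; the MAC address, profile names, identifier 162 and the secret alcatel are the chapter's values. The code builds and verifies packet bytes locally and sends nothing.

```python
# Added example (not SR OS or FreeRADIUS code, not from the chapter): the
# CoA-Request a web portal sends to the WLAN-GW after a successful login,
# encoded per RFC 5176 with the Alcatel-Lucent vendor-specific attributes
# (vendor 6527, attributes 11/12/13) that appear in the chapter's debug
# output, plus the portal-side check of the CoA-ACK authenticator.
import hashlib
import hmac
import struct

VENDOR_SPECIFIC = 26
ALU_VENDOR_ID = 6527       # Alcatel(6527) in the debug output
ALU_SUBSC_ID_STR = 11      # Alc-Subsc-ID-Str
ALU_SUBSC_PROF_STR = 12    # Alc-Subsc-Prof-Str
ALU_SLA_PROF_STR = 13      # Alc-SLA-Prof-Str
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45


def vsa(vendor_type: int, value: str) -> bytes:
    """One Vendor-Specific attribute (RFC 2865 section 5.26) carrying a string."""
    data = value.encode()
    inner = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", ALU_VENDOR_ID) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def build_coa_request(identifier: int, secret: bytes, attrs: bytes) -> bytes:
    """CoA-Request. Request Authenticator = MD5(Code | ID | Length | 16 zero
    octets | Attributes | Secret); the WLAN-GW checks it against the secret of
    the configured server before acting on the request (accept-coa)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What the WLAN-GW answers (CoA-ACK or CoA-NAK). Response Authenticator =
    MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Portal side: accept an answer only if its identifier matches the request
    and its authenticator was computed with the shared secret over this
    request's authenticator. Rejects forged and replayed answers."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = build_response(response[0], request, secret, response[20:])
    return hmac.compare_digest(expected[4:20], response[4:20])


def portal_coa(mac: str, sub_profile: str, sla_profile: str,
               identifier: int, secret: bytes) -> bytes:
    """The CoA the chapter's radclient command produces: subscriber ID (UE MAC),
    subscriber profile and the unrestricted SLA profile."""
    attrs = (vsa(ALU_SUBSC_ID_STR, mac)
             + vsa(ALU_SUBSC_PROF_STR, sub_profile)
             + vsa(ALU_SLA_PROF_STR, sla_profile))
    return build_coa_request(identifier, secret, attrs)


if __name__ == "__main__":
    secret = b"alcatel"                       # shared secret from clients.conf
    req = portal_coa("68:7f:74:8b:3d:d7", "SUBP_5", "SLAP", 162, secret)
    print("CoA-Request length:", len(req))    # 71 octets, as in debug message 11
    ack = build_response(COA_ACK, req, secret)
    print("ACK verified:", verify_response(ack, req, secret))
    print("ACK with wrong secret verified:", verify_response(ack, req, b"other"))
```

The encoded request is 71 octets and the attribute-less ACK is 20 octets, matching the "len 71" and "len 20" of debug messages 11 and 12. Because the only protection on a CoA is the MD5 authenticator keyed with the shared secret, the secret in clients.conf and in the WLAN-GW radius-server configuration is what stops an arbitrary host on the AAA network from changing a subscriber's SLA profile; the WLAN-GW additionally only accepts CoA from a server configured with accept-coa.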
Access Points
At a minimum, the following must be configured on the Access Point:
IP address 10.1.3.10/24
Default route to 10.1.3.1
Open SSID WiFi-165-5 mapped to VLAN 50
Soft-GRE tunnel with destination 192.5.5.5, with VLAN 50 mapped to this tunnel
Show Commands
The following show commands reflect the status of the router after the UE has connected and obtained an IP address using DHCP.
The following output displays the UEs presently connected.
*A:WLAN-GW# show subscriber-mgmt wlan-gw ue
===============================================================================
User Equipments
===============================================================================
MAC address : 68:7f:74:8b:3d:d7
-------------------------------------------------------------------------------
VLAN Q-tag : 50
MPLS label : (Not Specified)
Tunnel router : 1000
Tunnel remote IP address : 10.1.3.10
Tunnel local IP address : 192.5.5.5
Retail service : N/A
SSID : (Not Specified)
Previous Access Point IP : (Not Specified)
IMSI : (Not Specified)
Last move time : 2014/09/22 10:47:58
-------------------------------------------------------------------------------
No. of UE: 1
===============================================================================
The DHCP lease information indicates that the address was assigned by the local DHCP server.
*A:WLAN-GW# show service id 2005 dhcp lease-state
===============================================================================
DHCP lease state table, service 2005
===============================================================================
IP Address Mac Address Sap/Sdp Id Remaining Lease MC
LeaseTime Origin Stdby
-------------------------------------------------------------------------------
10.165.5.2 68:7f:74:8b:3d:d7 [2/1/nat-out-ip:20* 00h59m27s DHCP
-------------------------------------------------------------------------------
Number of lease states : 1
===============================================================================
* indicates that the corresponding row element may have been truncated.
DHCP statistics can be displayed using the following command.
*A:WLAN-GW# show service id 2005 dhcp statistics
====================================================================
DHCP Global Statistics, service 2005
====================================================================
Rx Packets : 2
Tx Packets : 2
Rx Malformed Packets : 0
Rx Untrusted Packets : 0
Client Packets Discarded : 0
Client Packets Relayed : 2
Client Packets Snooped : 0
Client Packets Proxied (RADIUS) : 0
Client Packets Proxied (User-Db) : 0
Client Packets Proxied (Lease-Split) : 0
Server Packets Discarded : 0
Server Packets Relayed : 2
Server Packets Snooped : 0
DHCP RELEASEs Spoofed : 0
DHCP FORCERENEWs Spoofed : 0
====================================================================
The route table for the routing instance where UEs are terminated shows an entry for the UE.
*A:WLAN-GW# show router 2005 route-table
===============================================================================
Route Table (Service: 2005)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
10.0.0.0/24 Local Local 00h32m12s 0
dhcp-server 0
10.165.5.0/24 Local Local 00h27m20s 0
SI5 0
10.165.5.2/32 Remote Sub Mgmt 00h00m33s 0
[GI5] 0
-------------------------------------------------------------------------------
No. of Routes: 3
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
===============================================================================
The active subscribers view shows the initial limited SLA profile SLAP_5_portal before the user has logged in to the portal.
*A:WLAN-GW>config>service>vprn# show service active-subscribers
===============================================================================
Active Subscribers
===============================================================================
-------------------------------------------------------------------------------
Subscriber 68:7f:74:8b:3d:d7 (SUBP)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[2/1/nat-out-ip:2049.3] - sla:SLAP_5_portal
-------------------------------------------------------------------------------
IP Address
MAC Address PPPoE-SID Origin
--------------------------------------------------------
10.165.5.2
68:7f:74:8b:3d:d7 N/A DHCP
-------------------------------------------------------------------------------
Number of active subscribers : 1
-------------------------------------------------------------------------------
The following output shows the active subscribers view after the user has logged in and the SLA profile has been updated with the unrestricted SLA profile SLAP.
*A:WLAN-GW# show service active-subscribers
===============================================================================
Active Subscribers
===============================================================================
-------------------------------------------------------------------------------
Subscriber 68:7f:74:8b:3d:d7 (SUBP_5)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:[2/1/nat-out-ip:2049.3] - sla:SLAP
-------------------------------------------------------------------------------
IP Address
MAC Address PPPoE-SID Origin
--------------------------------------------------------
10.165.5.2
68:7f:74:8b:3d:d7 N/A DHCP
-------------------------------------------------------------------------------
Number of active subscribers : 1
-------------------------------------------------------------------------------
The following output shows the RADIUS statistics for the DHCP authentication.
*A:WLAN-GW# show aaa radius-server-policy "RS_5" statistics
===============================================================================
RADIUS server policy "RS_5" statistics
===============================================================================
Tx transaction requests : 1
Rx transaction responses : 1
Transaction requests timed out : 0
Transaction requests send failed : 0
Packet retries : 0
Transaction requests send rejected : 0
Authentication requests failed : 0
Accounting requests failed : 0
Ratio of access-reject over auth responses : 0%
Transaction success ratio : 100%
Transaction failure ratio : 0%
Statistics last reset at : n/a
Server 1 "Server2" address 10.43.186.2 auth-port 1812 acct-port 1813
-------------------------------------------------------------------------------
Tx request packets : 1
Rx response packets : 1
Request packets timed out : 0
Request packets send failed : 0
Request packets send failed (overload) : 0
Request packets waiting for reply : 0
Response packets with invalid authenticator : 0
Response packets with invalid msg authenticator : 0
Authentication packets failed : 0
Accounting packets failed : 0
Avg auth response delay (10 100 1K 10K) in ms : 7.24 7.24 7.24 7.24
Avg acct response delay (10 100 1K 10K) in ms : n/a
Statistics last reset at : n/a
===============================================================================
The following output shows the CoA statistics after portal authentication.
*A:WLAN-GW# show subscriber-mgmt authentication coa-statistics
===============================================================================
Radius Notify Statistics Change-Of-Authorization Disconnect-Messages
===============================================================================
Requests Received 1 0
Requests Accepted 1 0
Requests Rejected 0 0
Requests Dropped 0 0
No Auth Policy found 0 0
Invalid message 0 0
Out of resources 0 0
Authentication failure 0 0
===============================================================================
Debug
The following is a complete debug of a UE connecting and logging in to the portal. Shortly after logging in, the UE disconnects from the SSID and the subscriber is removed by host-connectivity-verify.
The following debug configuration applies:
debug
router "Base"
radius
packet-type authentication accounting coa
detail-level medium
exit
exit
router "2005"
ip
dhcp
detail-level medium
mode egr-ingr-and-dropped
exit
exit
local-dhcp-server "local_dhcp_2005"
detail-level medium
mode dropped-only
exit
exit
service
id 2005
host-connectivity-verify
mac 68:7f:74:8b:3d:d7
exit
exit
exit
exit
The WLAN-GW is notified of the UE after receiving the first DHCP packet.
1 2014/09/22 10:47:58.46 EDT MINOR: DEBUG #2001 vprn2005 PIP
"PIP: DHCP
instance 5 (2005), interface index 3 (GI5),
received DHCP Boot Request on Interface GI5 (2/1/nat-out-ip:2049.3) Port 67
H/W Type: Ethernet(10Mb) H/W Address Length: 6
ciaddr: 0.0.0.0 yiaddr: 0.0.0.0
siaddr: 0.0.0.0 giaddr: 0.0.0.0
chaddr: 68:7f:74:8b:3d:d7 xid: 0x8c0fc642
DHCP options:
[53] Message type: Discover
[61] Client id: (hex) 01 68 7f 74 8b 3d d7
[50] Requested IP addr: 10.165.5.2
[12] Host name: W81VM
[60] Class id: MSFT 5.0
[55] Param request list: len = 13
1 Subnet mask
15 Domain name
3 Router
6 Domain name server
44 NETBIOS name server
46 NETBIOS type
47 NETBIOS scope
31 Router discovery
33 Static route
121 Unknown option
249 Unknown option
252 Unknown option
43 Vendor specific
[255] End
"
DHCP triggers sending the RADIUS Access-Request.
2 2014/09/22 10:47:58.48 EDT MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Transmit
Access-Request(1) 10.43.186.2:1812 id 1 len 79 vrid 1 pol RS_5
USER NAME [1] 17 68:7f:74:8b:3d:d7
PASSWORD [2] 16 IyDg9t17sGTbfR/6h0Bs1U
NAS IP ADDRESS [4] 4 10.10.10.165
NAS IDENTIFIER [32] 14 WLAN-GW
"
The UE authentication request is always accepted and the Access-Accept message contains the required subscriber management and IP parameters, in this case, at least the subscriber ID string as well as the pool name to be used by the local DHCP server.
3 2014/09/22 10:47:58.50 EDT MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Receive
Access-Accept(2) id 1 len 52 from 10.43.186.2:1812 vrid 1 pol RS_5
VSA [26] 19 Alcatel(6527)
SUBSC ID STR [11] 17 68:7f:74:8b:3d:d7
FRAMED POOL [88] 5 pool1
"
The DHCP request is transmitted to the local DHCP server, which assigns the IP address to the UE.
4 2014/09/22 10:47:58.50 EDT MINOR: DEBUG #2001 vprn2005 PIP
"PIP: DHCP
instance 5 (2005),
transmitted DHCP Boot Request to 10.0.0.1 Port 67
H/W Type: Ethernet(10Mb) H/W Address Length: 6
ciaddr: 0.0.0.0 yiaddr: 0.0.0.0
siaddr: 0.0.0.0 giaddr: 10.165.5.1
chaddr: 68:7f:74:8b:3d:d7 xid: 0x8c0fc642
DHCP options:
[82] Relay agent information: len = 54
[1] Circuit-id: WLAN-GW|2005|GI5|2/1/nat-out-ip:2049.3
[9] Vendor-Specific info: len = 12
Enterprise [6527] : len = 7
[13] dhcpPool: pool1
[53] Message type: Discover
[61] Client id: (hex) 01 68 7f 74 8b 3d d7
[50] Requested IP addr: 10.165.5.2
[12] Host name: W81VM
[60] Class id: MSFT 5.0
[55] Param request list: len = 13
1 Subnet mask
15 Domain name
3 Router
6 Domain name server
44 NETBIOS name server
46 NETBIOS type
47 NETBIOS scope
31 Router discovery
33 Static route
121 Unknown option
249 Unknown option
252 Unknown option
43 Vendor specific
[255] End
"
5 2014/09/22 10:47:58.50 EDT MINOR: DEBUG #2001 vprn2005 PIP
"PIP: DHCP
instance 5 (2005),
received DHCP Boot Reply on 10.0.0.1 Port 67
H/W Type: Ethernet(10Mb) H/W Address Length: 6
ciaddr: 0.0.0.0 yiaddr: 10.165.5.2
siaddr: 10.0.0.1 giaddr: 10.165.5.1
chaddr: 68:7f:74:8b:3d:d7 xid: 0x8c0fc642
DHCP options:
[82] Relay agent information: len = 54
[1] Circuit-id: WLAN-GW|2005|GI5|2/1/nat-out-ip:2049.3
[9] Vendor-Specific info: len = 12
Enterprise [6527] : len = 7
[13] dhcpPool: pool1
[53] Message type: Offer
[54] DHCP server addr: 10.0.0.1
[51] Lease time: 3600
[1] Subnet mask: 255.255.255.128
[3] Router: 10.165.5.1
[6] Domain name server: 10.43.186.43
[12] Host name: W81VM
[60] Class id: MSFT 5.0
[255] End
"
6 2014/09/22 10:47:58.52 EDT MINOR: DEBUG #2001 vprn2005 PIP
"PIP: DHCP
instance 5 (2005), interface index 3 (GI5),
transmitted DHCP Boot Reply to Interface GI5 (2/1/nat-out-ip:2049.3) Port 68
H/W Type: Ethernet(10Mb) H/W Address Length: 6
ciaddr: 0.0.0.0 yiaddr: 10.165.5.2
siaddr: 10.0.0.1 giaddr: 10.165.5.1
chaddr: 68:7f:74:8b:3d:d7 xid: 0x8c0fc642
DHCP options:
[53] Message type: Offer
[54] DHCP server addr: 10.0.0.1
[51] Lease time: 3600
[1] Subnet mask: 255.255.255.128
[3] Router: 10.165.5.1
[6] Domain name server: 10.43.186.43
[12] Host name: W81VM
[60] Class id: MSFT 5.0
[255] End
"
7 2014/09/22 10:47:58.69 EDT MINOR: DEBUG #2001 vprn2005 PIP
"PIP: DHCP
instance 5 (2005), interface index 3 (GI5),
received DHCP Boot Request on Interface GI5 (2/1/nat-out-ip:2049.3) Port 67
H/W Type: Ethernet(10Mb) H/W Address Length: 6
ciaddr: 0.0.0.0 yiaddr: 0.0.0.0
siaddr: 0.0.0.0 giaddr: 0.0.0.0
chaddr: 68:7f:74:8b:3d:d7 xid: 0x8c0fc642
DHCP options:
[53] Message type: Request
[61] Client id: (hex) 01 68 7f 74 8b 3d d7
[50] Requested IP addr: 10.165.5.2
[54] DHCP server addr: 10.0.0.1
[12] Host name: W81VM
[81] client FQDN: rcode1: 0, rcode2: 0, domain name = (hex) 00 57 38 31 56
4d
[60] Class id: MSFT 5.0
[55] Param request list: len = 13
1 Subnet mask
15 Domain name
3 Router
6 Domain name server
44 NETBIOS name server
46 NETBIOS type
47 NETBIOS scope
31 Router discovery
33 Static route
121 Unknown option
249 Unknown option
252 Unknown option
43 Vendor specific
[255] End
"
8 2014/09/22 10:47:58.69 EDT MINOR: DEBUG #2001 vprn2005 PIP
"PIP: DHCP
instance 5 (2005),
transmitted DHCP Boot Request to 10.0.0.1 Port 67
H/W Type: Ethernet(10Mb) H/W Address Length: 6
ciaddr: 0.0.0.0 yiaddr: 0.0.0.0
siaddr: 0.0.0.0 giaddr: 10.165.5.1
chaddr: 68:7f:74:8b:3d:d7 xid: 0x8c0fc642
DHCP options:
[82] Relay agent information: len = 54
[1] Circuit-id: WLAN-GW|2005|GI5|2/1/nat-out-ip:2049.3
[9] Vendor-Specific info: len = 12
Enterprise [6527] : len = 7
[13] dhcpPool: pool1
[53] Message type: Request
[61] Client id: (hex) 01 68 7f 74 8b 3d d7
[50] Requested IP addr: 10.165.5.2
[54] DHCP server addr: 10.0.0.1
[12] Host name: W81VM
[81] client FQDN: rcode1: 0, rcode2: 0, domain name = (hex) 00 57 38 31 56
4d
[60] Class id: MSFT 5.0
[55] Param request list: len = 13
1 Subnet mask
15 Domain name
3 Router
6 Domain name server
44 NETBIOS name server
46 NETBIOS type
47 NETBIOS scope
31 Router discovery
33 Static route
121 Unknown option
249 Unknown option
252 Unknown option
43 Vendor specific
[255] End
"
9 2014/09/22 10:47:58.69 EDT MINOR: DEBUG #2001 vprn2005 PIP
"PIP: DHCP
instance 5 (2005),
received DHCP Boot Reply on 10.0.0.1 Port 67
H/W Type: Ethernet(10Mb) H/W Address Length: 6
ciaddr: 0.0.0.0 yiaddr: 10.165.5.2
siaddr: 10.0.0.1 giaddr: 10.165.5.1
chaddr: 68:7f:74:8b:3d:d7 xid: 0x8c0fc642
DHCP options:
[82] Relay agent information: len = 54
[1] Circuit-id: WLAN-GW|2005|GI5|2/1/nat-out-ip:2049.3
[9] Vendor-Specific info: len = 12
Enterprise [6527] : len = 7
[13] dhcpPool: pool1
[53] Message type: Ack
[54] DHCP server addr: 10.0.0.1
[51] Lease time: 3600
[1] Subnet mask: 255.255.255.128
[3] Router: 10.165.5.1
[6] Domain name server: 10.43.186.43
[12] Host name: W81VM
[81] client FQDN: rcode1: 0, rcode2: 0, domain name = (hex) 00 57 38 31 56
4d
[60] Class id: MSFT 5.0
[255] End
"
10 2014/09/22 10:47:58.69 EDT MINOR: DEBUG #2001 vprn2005 PIP
"PIP: DHCP
instance 5 (2005), interface index 3 (GI5),
transmitted DHCP Boot Reply to Interface GI5 (2/1/nat-out-ip:2049.3) Port 68
H/W Type: Ethernet(10Mb) H/W Address Length: 6
ciaddr: 0.0.0.0 yiaddr: 10.165.5.2
siaddr: 10.0.0.1 giaddr: 10.165.5.1
chaddr: 68:7f:74:8b:3d:d7 xid: 0x8c0fc642
DHCP options:
[53] Message type: Ack
[54] DHCP server addr: 10.0.0.1
[51] Lease time: 3600
[1] Subnet mask: 255.255.255.128
[3] Router: 10.165.5.1
[6] Domain name server: 10.43.186.43
[12] Host name: W81VM
[81] client FQDN: rcode1: 0, rcode2: 0, domain name = (hex) 00 57 38 31 56
4d
[60] Class id: MSFT 5.0
[255] End
"
At this point, the UE has network connectivity but all HTTP traffic is redirected to the web portal, as configured in the IP filter included in the initial SLA profile.
After web portal authentication, the WLAN-GW receives a RADIUS CoA for this subscriber, which includes the new unrestricted SLA profile SLAP.
11 2014/09/22 10:48:12.54 EDT MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Receive
Change of Authorization(43) id 162 len 71 from 10.43.186.2:55255 vrid 1
VSA [26] 19 Alcatel(6527)
SUBSC ID STR [11] 17 68:7f:74:8b:3d:d7
VSA [26] 8 Alcatel(6527)
SUBSC PROF STR [12] 6 SUBP_5
VSA [26] 6 Alcatel(6527)
SLA PROF STR [13] 4 SLAP
"
12 2014/09/22 10:48:12.54 EDT MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Transmit
Change of Authorization Ack(44) 10.43.186.2:55255 id 162 len 20 vrid 1
"
The host has accessed a few web sites and then disconnected from the SSID, an event the WLAN-GW cannot detect directly. After 5 minutes of inactivity, host-connectivity-verify removes the subscriber and the DHCP lease is cleared.
13 2014/09/22 10:48:58.90 EDT MINOR: DEBUG #2001 vprn2005 SHCV
"SHCV: Periodic Check
2/1/nat-out-ip:2049.3
DHCP lease state 10.165.5.2 68:7f:74:8b:3d:d7"
14 2014/09/22 10:49:08.90 EDT MINOR: DEBUG #2001 vprn2005 SHCV
"SHCV: Periodic Check
2/1/nat-out-ip:2049.3
DHCP lease state 10.165.5.2 68:7f:74:8b:3d:d7"
15 2014/09/22 10:49:18.90 EDT MINOR: DEBUG #2001 vprn2005 SHCV
"SHCV: Periodic Check
2/1/nat-out-ip:2049.3
DHCP lease state 10.165.5.2 68:7f:74:8b:3d:d7"
16 2014/09/22 10:49:28.90 EDT MINOR: DEBUG #2001 vprn2005 SHCV
"SHCV: Connectivity Lost
2/1/nat-out-ip:2049.3
DHCP lease state 10.165.5.2 68:7f:74:8b:3d:d7"
17 2014/09/22 10:49:30.00 EDT MINOR: DEBUG #2001 vprn2005 PIP
"PIP: DHCP
instance 5 (2005),
transmitted DHCP Boot Request to 10.0.0.1 Port 68
H/W Type: Ethernet(10Mb) H/W Address Length: 6
ciaddr: 10.165.5.2 yiaddr: 0.0.0.0
siaddr: 0.0.0.0 giaddr: 0.0.0.0
chaddr: 68:7f:74:8b:3d:d7 xid: 0x0
DHCP options:
[53] Message type: Release
[54] DHCP server addr: 10.0.0.1
[255] End
"
Conclusion
The 7750 SR WLAN-GW can support many WiFi Offload architectures, including open SSID with portal authentication. WiFi Offload functions such as terminating GRE tunnels or subscribers can be performed in separate routing instances, if required. IP addresses can be assigned from an external or local source and routing can be performed using NAT, by connecting the UE routing instance directly to the Internet, or by leaking routes to other routing instances. Using http-redirect, a web portal can be used to allow users to log in to a paid service or to accept the terms of service for a free WiFi service. Several show commands and debug options are available to help the operator monitor and troubleshoot the solution.